S/MIME Secure Messaging Certification
On Monday April 24, The Open Group launched the
S/MIME Secure Messaging Certification program to identify
organizations and individuals who are able to support the deployment of
secure email systems. The program will speed up the deployment of
standards-based email encryption systems, and enable enterprises to
meet the increasing stringent regulatory requirements for privacy of
email. To date, enterprises leading the deployment of secure email
have been hampered by the lack of ability of their business partners to
deploy interoperable systems and the difficulty in identification of
professional service companies and individuals that are able to provide
support.
Certification is based on the S/MIME Secure
Messaging Architecture, published by The Open Group Messaging Forum,
which sets out a flexible, standards-based architectural approach to
secure email, that ensures interoperability.
Allen Brown, President and CEO of The Open Group,
presented certificates to the first certified services providers and
practitioners:
- S/MIME Secure Messaging SERVICES: for
companies who have skilled practitioners who are able to deploy
secure email systems:
- The Boeing Company
- Noventum Consulting GmbH
- Research Environment for Global Information Society, REGIS
- The Open Group Messaging Forum
- S/MIME Secure Messaging CERTIFIED: for
individuals who have the appropriate knowledge and understanding:
- Stephan Wappler, Noventum Consulting GmbH
- Masao Shibutami, Asahi Techneion Co.
- Akiharu Shitama, Asahi Techneion Co.
- S/MIME Secure Messaging TRAINING: for in-depth training courses that address all of the topics necessary to
understand how to deploy secure email systems:
Quotes about the importance of the program were:
- Allen Brown: "This is an important certification program
that addresses a major industry need. It is especially gratifying to
see industry partners working together to develop this certification
program. Members of The Open Group Messaging Forum can be
proud of their achievements."
-
Brad Wright, Manager, Enterprise Messaging
Services from Boeing: "This addresses a key objective for the Boeing
Company. It will enable us to meet our targets for deployment of secure
email with our major business partners."
- Uwe Rotermund, CEO of Noventum Consulting:
"Noventum is proud to lead this important activity in Europe. Secure
Messaging is strategic for our company and its clients."
- Jack Fujieda, President and CEO of ReGIS, Inc.:
"Japan has traditionally been a follower of standards activities and
certification. This time, I had the opportunity to be at the
forefront of this program, which reflects the importance of security
to the Automotive and Aerospace Industries in Japan."
In support of the program, Wen Fang from the Boeing Company and
Stephan Wappler from Noventum AG presented a training course for
individuals considering taking the examination to become S/MIME Secure
Messaging CERTIFIED.
Visit The Open Group for more
information about this program and to
participate in the certification program. An up-to-date
register
of certified organizations and individuals is also available.
Working Sessions
Working sessions for members of the Messaging Forum were held to
progress the work of the Forum in several areas.
CALL
FOR PARTICIPATION: The Forum took a far-reaching decision regarding participation
in its work programs. In future ALL members of The Open Group
may participate in the working activities of the Messaging
Forum, not only those members who have selected Messaging as
their Forum of choice. A formal call for participation will be
issued shortly. Meanwhile, any member of The Open Group
interested in participation in any of the following programs
should contact
Mike Lambert, the Forum Director, by email.
Secure Mail Gateway Strategy
The objective of this working session was to establish a strategic
direction for the future of the
S/MIME Gateway Certification program (launched in July 2004).
Topics addressed during the meeting included:
- Experience with SMGv1: Members of MHDC
have expressed satisfaction with the program. Tufts Healthcare and
Commonwealth of Massachusetts are "happy users". Vendors of
conformant products are disappointed with the market take-up and
report that the volume of mail encrypted at the gateway using the
SMGv1 profile represents a small proportion of the total mails sent.
- Role of Proxy Solutions:
Particularly in Europe, the use of systems which manage individual
user certificates at the domain gateway is growing.
- Role of TLS: Network-level security
(using TLS between gateways) is increasingly used for email
encryption. There remain reservations about the extent to which it
provides the absolute control of encryption necessary for regulatory
compliance.
- Growth in PGP: All vendors
represented at the meeting include support for PGP encryption. This
is not currently based on any open standard. PGP Corporation expressed a
desire to establish an Open-PGP standard.
- Microsoft Plans: At a special
briefing alongside a recent E-Mail Authentication Summit, Microsoft
revealed plans to incorporate gateway-level security
(encryption/signatures) at the domain gateway, using keys stored in
DNS, in the upcoming release of Exchange. Exchange 12. This will use
an XML-based format for mail messages to improve the level of
security (by encrypting mail headers). Those present agreed that
this potentially represents an exciting route forward, which could
address a lot of known restrictions associated with the Internet
mail system. However, this will only work if the specifications are
available openly to ensure broad support by MTA vendors. More
information about the approach proposed is needed.
- Strategy: It was agreed that the
focus of the program should be extended and should embrace different
modes of operation typically supported by outgoing mail
gateways. It should support:
- S/MIME, PGP, and potentially the new Microsoft XML mechanisms
- Both gateway and desktop operation at the recipient
- Domain signatures
Federated Free/Busy
The objective of this working session, jointly promoted by the
Calendaring & Scheduling Consortium, was to decide how to address
the business problem defined in the
Federated Free/Busy scenario.
Topics addressed during the meeting included:
- Confirmation of Problem:
Participants confirmed their understanding of the problem and how it
can be constrained to enable a solution to be developed in the
required timescale.
- Review of Status of CalDAV: The
CalDAV scheduling specifications will not be completed in the
required timescale. Product vendors present at the meeting agreed
that it would be possible to implement a subset of the protocol to
provide the free/busy information needed to meet the requirement.
- Architecture: An output of the
workshop was an architecture document showing the components needed
to address the requirement. Task to be competed include:
- Provision of API/protocol to retrieve free/busy information from
server-based calendaring systems
- Selection of a User Interface to display the results of a
free/busy query (candidates include the clients within Outlook and
Lotus)
- Develop "connectors" to link clients/servers
- Strategy: It was agreed that The
Open Group and the Calendaring and Scheduling Consortium will
continue to work together on Federated Free/Busy. Two vendors agree
to demonstrate interoperability of free/busy information at the next
Calconnect meeting in May 2006.
Manager's Guide to Message Retention
The objective of this working session was to develop a proposal for a
new work item to develop a Manager's Guide to Message Retention.
- Background: EMA produced the
Message Retention Toolkit around 10 years ago. The content is now
out-of-date. Organizations need guidance on how to ensure that their
messaging systems are compliant with recent regulation.
- Proposed project: Develop a
Manager's Guide to Message Retention to: “provide guidance to
enterprises in establishing message retention and associated
policies that balances requirements for regulatory compliance,
litigation support, with the resources needed within the enterprise
to manage the messaging system.”
- Scope: While there is a need for
broad guidance in all areas of messaging policy, it was agreed that
the focus of this project should be Email Message Retention, but
must include the implications of local copies of emails on any
retention policy.
